- North Korean Hacker group Lazarus ran a 2024 cyber campaign targeting a decentralized finance company.
- The attackers used social engineering to deliver cross-platform Malware called PondRAT, ThemeForestRAT, and RemotePE.
- Initial contact happened via fake trading company accounts and scam scheduling websites imitating Calendly and Picktime.
- The attack led to credential theft, system discovery, and installation of different Remote Access Trojans (RATs).
- The campaign likely used a Chrome browser zero-day exploit to gain initial entry before switching to more advanced tools.
A cyberattack campaign by the North Korea-linked group Lazarus was detected in 2024, with Hackers targeting an employee of a decentralized finance (DeFi) organization. The incident involved the distribution of three different types of malware—PondRAT, ThemeForestRAT, and RemotePE—to compromise company networks.
Researchers at NCC Group’s Fox-IT reported that the hackers started by impersonating a trading company employee on Telegram. They then used fake websites that looked like popular scheduling tools to engage the victim and arrange a meeting. After gaining access to the system, the attackers deployed a loader named PerfhLoader, which installed a simplified form of existing malware known as PondRAT.
“From there, the actor performed discovery from inside the network using different RATs in combination with other tools, for example, to harvest credentials or proxy connections,” said Fox-IT’s Yun Zheng Hu and Mick Koomen. The hackers continued the attack by switching from PondRAT to ThemeForestRAT, and later cleaned up after themselves and installed a more sophisticated tool called RemotePE.
Fox-IT stated that the initial access point is not fully confirmed, but there is some evidence that a then-unknown Chrome browser vulnerability was used. Alongside PondRAT, the attackers installed additional tools such as a keylogger, screenshot utility, Chrome credential and cookie stealer, and proxies including MidProxy and Proxy Mini. Tools like Mimikatz, used to collect passwords, were also found.
The malware programs enabled functions like monitoring for new remote desktop sessions, running shell commands, managing files, and launching further attacks or hiding activity. Fox-IT noted that Cybersecurity-advisories/aa21-048a” target=”_blank” rel=”noopener”>PondRAT has been active since at least 2021, and ThemeForestRAT displays similarities to malware used in the 2014 Sony Pictures Entertainment attack.
RemotePE, written in C++, is a more advanced remote access tool delivered via a chain of loaders and is likely intended for high-value targets.
Fox-IT describes the approach as moving from basic tools like PondRAT for initial compromise, then upgrading to more complex malware for broader control, all while minimizing detection.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Trump Calls Emergency Meeting After Court Rules Tariffs Illegal
- Starknet Hit by Multiple Outages After Latest Grinta Upgrade
- Figure Targets $526M IPO Amid Surge in Blockchain Public Listings
- Shadow AI Threatens Data Privacy as Employees Bypass Controls
- Lula Convenes BRICS Virtual Summit to Respond to Trump Tariffs
